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ABSTRACT 

This paper is devoted to deterministic consensus in syn¬ 
chronous dynamic networks with unidirectional links, which 
are under the control of an omniscient message adversary. 
Motivated by unpredictable node/system initialization times 
and long-lasting periods of massive transient faults, we con¬ 
sider message adversaries that guarantee periods of less er¬ 
ratic message loss only eventually. We present a tight bound 
of 2D-I-1 for the termination time of consensus under a mes¬ 
sage adversary that eventually guarantees a single vertex- 
stable root component with dynamic network diameter D, 
as well as a simple algorithm that matches this bound. It 
effectively halves the termination time 4D -|- 1 achieved by 
an existing consensus algorithm, which also works under our 
message adversary. We also introduce a generalized, consid¬ 
erably stronger variant of our message adversary, and show 
that our new algorithm, unlike the existing one, still works 
correctly under it. 

1 Introduction 

We study deterministic distributed consensus in synchronous 
dynamic networks connected by unreliable, unidireetional 
links. Assuming unidirectional communication, in contrast 
to most existing research [10,12], is not only of theoretical 
interest: According to [16], 80% of the links in a typical wire¬ 
less network are sometimes asymmetric. In fact, in wireless 
settings with low node density, various interferers and ob¬ 
stacles that severely inhibit communication, as in disaster 
relief applications [15], for example, bidirectional links may 
simply not be achievable. Moreover, implementing low-level 
bidirectional communication between every pair of nodes is 
costly in terms of energy consumption, delay time and hard¬ 
ware resources. It may hence be an overkill for applications 
that just need some piece of information available at one 
node to reach some other node, as this is also achievable via 
directed multi-hop paths. Obviously, in such settings, algo¬ 
rithmic solutions that do not assume bidirectional single-hop 
communication in the hrst place provide signihcant advan¬ 
tages. 

In this paper, we model directed dynamic networks as syn¬ 
chronous distributed systems made up of n processes, where 
processes have no knowledge of n. In every round, the pro¬ 
cesses attempt a full message exchange and compute a new 
local state based on the messages successfully received in 
the message exchange. The actual communication in round 
r = 1, 2,... is modeled as a sequence of directed commu¬ 
nication graphs , ■ ■ ■, which are considered under the 

control of a omniscient message adversary [1,17]: The mes¬ 


sage adversary determines which messages are delivered and 
which get lost in each round. 

In contrast to [1], where message adversaries are oblivious 
in the sense that they can choose the round graphs arbitrar¬ 
ily from a fixed set of candidates only, this paper, inspired by 
the research in [3,4], considers message adversaries that may 
pick the graphs generated in some round depending on the 
particular round number. Obviously, this allows to model 
stabilizing behavior^ which is not only of theoretical interest 
but also relevant from a practical point of view: Starting-up 
a real dynamic distributed system is likely a quite chaotic 
process, as nodes boot at different times and execute vari¬ 
ous initialization procedures. One can expect, though, that 
the system will operate in a better orchestrated way after 
some unpredictable startup time. A similar effect can be ex¬ 
pected after a period of excessive transient faults, as caused 
by the abundant ionizing particles emitted during heavy so¬ 
lar flares [2,8], for example. In this paper, we hence focus 
on stabilizing message adversaries, which allow hnite initial 
periods where arbitrary graphs may be generated. 

The distributed computing problem considered in this pa¬ 
per is consensus. A consensus algorithm ensures that all 
processes in the system eventually agree on a common de¬ 
cision value, which is computed (deterministically) from lo¬ 
cal inputs. It is an important primitive for any distributed 
application where data consistency is crucial. Unlike in dy¬ 
namic networks with unreliable bidirectional links, where 
solving consensus is relatively easy [12], solving consensus 
under message adversaries that generate unreliable directed 
links is inherently difficult: For example, it is impossible 
to solve synchronous deterministic consensus with two pro¬ 
cesses connected by a pair of lossy directional links [18], 
even when it is guaranteed that only one link can fail in ev¬ 
ery round [19]. Therefore, in order to solve consensus, the 
power of the adversary must be restricted somehow. Ex¬ 
ploring the solvability/impossibility-border for consensus in 
directed dynamic networks is hence an interesting and chal¬ 
lenging topic. 


Contributions 

(1) We present two variants of a “natural” stabilizing mes¬ 
sage adversary, which takes into consideration the eventu¬ 
ally stabilizing behavior that can reasonably be expected 
from real dynamic networks. During some hnite initial pe¬ 
riod, the communication graphs can be (almost) arbitrary: 
In particular, they may contain any number of root com- 


ponents^ (strongly connected components that have no in¬ 
coming edges from outside of the component), which may 
even consist of the same set of nodes (with possibly vary¬ 
ing interconnect topology) for up to D consecutive rounds. 

1 ^ D < n is a system parameter, known to the processes, 
which ensures that information from all members of a sin¬ 
gle root component that remains the same for at least D 
rounds reaches all n processes in the system. The “chaotic” 
initial period ends, at some unknown stabilization round rar, 
when, for the first time, a single root component R occurs 
that consists of the same set of processes for more than D 
consecutive rounds. 

The simple eventually stable forever after variant of our 
message adversary, {>STABLE(D), guarantees that R remains 
a root component in all rounds after Vsi- <}STABLE(D) is 
quite restricted in its behavior after stabilization, but is easy 
to analyze and facilitates an easy comparison of the perfor¬ 
mance (in particular, of the termination times) of different 
consensus algorithms. The rigid properties of OSTABLE(D) 
are relaxed considerably in the case of our message adver¬ 
sary OSTABLE'(D), which just requires that R re-appears, as 
a single root component, in at least D (arbitrary, i.e., non- 
consecutive) rounds in the execution suffix after Vsi + D. 

(2) We prove that no consensus algorithm can terminate 
under OSTABLE(D) (and hence under OSTABLE'(D)) before 
rsi + 2D. Note that the fastest known algorithm to date was 
presented in [4] and also works under 0STABLE(T>). It has a 
termination time of Tsr + 4T> and is hence sub-optimal here. 

(3) We provide a simple consensus algorithm, which matches 
the termination time lower bound of 2D-I-1 under OSTABLE(II) 
and works correctly also under OSTABLE'(H). Note that the 
algorithm from [4] fails under OSTABLE'(II), even though its 
code is considerably more complex. 

Previous results 

In [3], Biely et.al. showed that consensus is solvable under a 
message adversary that generates graphs containing a single 
root component only, which eventually consists of the same 
processes for at least 4D consecutive rounds; the term 40- 
vertex-stable root component has been coined to reflect this 
fact. Note that vertex-stable root components neither imply 
a static network nor a stable subgraph over multiple rounds. 
It has also been shown in [3] that consensus is impossible if 
the adversary is not forced to generate a root component 
that is vertex-stable for at least D rounds. 

In [4], we showed that consensus can be solved under a 
message adversary that may generate multiple vertex-stable 
roots, albeit with a worse worst case termination time and a 
far more complex algorithm. More specifically, the message 
adversary proposed in this paper guarantees root compo¬ 
nents that (i) are eventually stable for at least 4D rounds 
concurrently, and (ii) ensures some distinct information flow 
between successive vertex-stable root components (“major¬ 
ity influence”). The proposed algorithm is gracefully degrad¬ 
ing, in the sense that it solves fc-set agreement for the worst- 
case optimal choice of fc, when consensus {k = 1) cannot be 
solved in the given run. Recall that in fc-set agreement, the 

^Note that root components have already been used in the 
asynchronous consensus algorithm for a minority of initially 
dead processes introduced by Fischer, Lynch and Paterson 
in [9]. 


consensus agreement condition is relaxed such that up to k 
different decision values are permitted. 

Other related work 

Dynamic networks have been studied intensively in distrib¬ 
uted computing (see the overview by Kuhn and Oshman [11] 
and the references therein). Besides work on peer-to-peer 
networks like [13], where the dynamicity of nodes (churn) 
is the primary concern, different approaches for modeling 
dynamic connectivity have been proposed, both in the net¬ 
working context and in the context of classic distributed 
computing. T-interval-connectivity in synchronous distrib¬ 
uted computations has been introduced in [10]. 

Agreement problems in dynamic networks with undirected 
communication graphs have been studied in the work by 
Kuhn et al. [12]; it focuses on the A-coordinated consensus 
problem, which extends consensus by requiring all processes 
to decide within A rounds of the first decision. Agreement 
in directed graphs has been considered in [1,3,4,6,17,19,20]. 
Whereas [6,19] considerably restrict the dynamicity of the 
communication graphs, e.g., by not allowing stabilizing be¬ 
havior, which effectively causes them to belong to quite 
strong classes of network assumptions in the classification of 
Casteigts et al. ]5], the algorithms of [3,4,20] allow to solve 
consensus under very weak network assumptions: [3] only 
admits single-rooted graphs, whereas [4] provides a consen¬ 
sus algorithm that gracefully degrades to fc-set agreement in 
unfavorable runs under a fairly strong stabilizing message 
adversary. Afek and Gafni [1] introduced (oblivious) mes¬ 
sage adversaries for specifying network assumptions in this 
context, and used them for relating problems solvable in 
wait-free read-write shared memory systems to those solv¬ 
able in message-passing systems. Raynal and Stainer [17] 
used message adversaries for exploring the relationship be¬ 
tween round-based models and failure detectors. 

2 Model 

We model a synchronous message passing system as a set 
n of ]n] = n > 1 deterministic state machines, called pro¬ 
cesses. Processes do not necessarily know n but have unique 
identifiers that we pick, w.l.o.g., from the set {1,... ,n}. In 
our analysis, we use a process and its identifier interchange¬ 
ably when there is no ambiguity. Processes operate in lock- 
step rounds, where each round consists of a phase of full 
message exchange, followed by an instantaneous local com¬ 
puting step. Following [3,4], the actual communication in 
round r ^ 1 is according to a digraph^ t/” = {V, E'') con¬ 
trolled by an omniscient message adversary: Each vertex 
in V corresponds to exactly one process of II, and an edge 
from p to q, denoted {p ^ q), is present in iff the adver¬ 
sary permits the delivery of the message sent from p to g in 
round r. We assume that C/” contains self-loops {p —^ p) for 
all p € V, i.e., processes always receive their own message in 
every round. Rounds are communication-closed, i.e., mes¬ 
sages sent in some round r and delivered in a later round 
r' > r are dropped. 

The messages sent and the state transitions performed 
by the processes in a round are guided by a deterministic 
message-sending and state-transition function, respectively, 
which are specified implicitly by algorithms in pseudo-code: 

^ Usually, we sloppily write p € t/”, resp. (p —>■ g) £ 
instead of p £ U resp. {p ^ q) £ i?”. 



The local state of a process comprises all its local variables; 
the message-sending funetion determines the message to be 
broadcast in a round, and the state-transition funetion de¬ 
termines the local state reached at the end of the round, 
depending on the previous state and the set of messages 
received in the round. Most of the time, we will assume 
that the algorithms are full-information, i.e., processes keep 
track of received messages and forward their entire states to 
all processes they can reach in every round. 

In our analysis, p'" denotes the local state of process p at 
the end of round r 1, after its computing step; is the 
initial state at the beginning of round 1. The value of a par¬ 
ticular variable var in p^ is denoted by varp.^ The vector 
of states of all the processes at the end of round r is called 
round r configuration C^-, (7° denotes the initial configura¬ 
tion. An execution, or run, is an alternating sequence of con¬ 
figurations and communication graphs. As our algorithms 
are deterministic, it is uniquely determined by a given initial 
configuration (7° together with an infinite sequence^ of com¬ 
munication graphs which is controlled by a message 

adversary. More generally, any execution segment, starting 
from configuration C"', is uniquely specified by a tuple like 
(<7^, • • •)• An execution is called ad¬ 

missible, if it is in accordance with the message-sending and 
state-transition functions of the processes and the definition 
of the message adversary. 

As in [4], we will restrict the power of a message adversary 
in terms of the properties of the sequences of communica¬ 
tion graphs it may legitimately generate. Consequently, an 
adversary A that has a set of properties Pa can formally 
be specified via the set of its feasible infinite communica¬ 
tion graph sequences A := \ satisfies Pa}- 

We say that an adversary A is weaker than an adversary B, 
resp. that B is stronger than A, if all feasible sequences of A 
are also in B but not vice-versa, i.e., A G B. If A contains 
sequences not in B and B contains sequences not in A, A 
and B are incomparable. An example for two incomparable 
adversaries is the adversary that allows only chains for each 
Q'" and the adversary that allows only circles for each C/’’. 

We say that a problem is impossible under some mes¬ 
sage adversary if there is no deteministic algorithm that 
solves the problem for every feasible communication graph 
sequence. For example, every problem that requires at least 
some communication among the processes is impossible un¬ 
der the unrestricted message adversary, which may generate 
all possible graph sequences: The sequence where 

no C/’’ contains even a single edge is also feasible here. 

We are interested in solving the consensus problem, where 
each process p has an initial value Xp and a write-once de¬ 
cision value Pp in its local state. Formally, the following 
conditions must be met in every execution of a correct con¬ 
sensus algorithm in our setting for p,q £ II: 

(Agreement) If p assigns value Vp to Pp and q assigns Vq to 

Pq, then Vp =Vq. 

(Termination) Eventually, every p assigns a value to Pp. 
(Validity) If p assigns a value v to Pp, then there is some q 

such that Xq = V. 

®Note that, throughout our paper, superscripts usually de¬ 
note round numbers, with the implicit assumption that they 
refer to the end of a round (after the computing step), 
whereas subscripts typically identify processes. 

'^As usual, we denote by (5’')(l^„ the sequence (t/“,..., Q^) 
of communication graphs. 


Dynamic graph concepts 

As in [3,4], the message adversaries considered in this paper 
will focus on root eomponents in the communication graphs, 
which are strongly connected components that have no in¬ 
coming edges. Their importance has already been recog¬ 
nized in the celebrated paper [9] by Fischer, Lynch and Pa¬ 
terson, which also introduces an algorithm for asynchronous 
consensus with a minority of initially dead processes. It 
essentially identifies the (unique) root component in the ini¬ 
tial communication graph formed by the processes waiting 
for first n/2 messages to arrive. 

Definition 1 (Root Component). A non-empty set 
of nodes R G V is called a round r root component of , 
if it is the set of vertices of a strongly connected component 
TZ of t/’’ and Vp € G'',q G R : {p ^ q) G ^ p £ R. 
We denote by roots (f/^) the set of all root components of 
G^, resp. the single root component of G^, and by |i?| the 
number of nodes in R. 

By contracting the strongly connected components of G'", 
it is easy to see that every graph has at least one root com¬ 
ponent (just called “roots” for brevity). Furthermore, if 5” 
contains a single root only, contraction leads to a tree, so 5” 
must be weakly connected in this case. 

Corollary 1. For any directed graph G'~, |roots(C/”)| > 

1, and if |roots(t/’')l = 1, then fj” is weakly connected. 

We call a set of nodes R that forms a root component in 
every communication graph of a sequence (G^)rei a common 
root of this sequence. Note carefully that the interconnect 
topology of the nodes in R, i.e., the root component TZ taken 
as a subgraph of (J”, as well as the outgoing edges to the re¬ 
maining nodes II \ i? in t/”, may be different in every round 
r in the sequence. The index set I of rounds in (G^)rei is 
usually an interval 1 = [a, &] of j/j = 6 — a -1- 1 consecutive 
rounds® (we will call {G^)rei a consecutive graph sequence 
in this case), but can also be an arbitrary index set that is 
ordered according to increasing round numbers. If a consec¬ 
utive graph sequence is maximal wrt. R being its common 
root, we call R a maximal common root. 

Definition 2 (Common root). We say that a sequence 
(0^)re/ has a common root R, iff there exists a root R 
(with possibly different interconnect topology) such that R G 
roots(t/”) for all r G I. If I ~ [a, b] with |7| = 6 — a -|- 1 is 
an interval of consecutive rounds a, a -I- 1,..., b, (G^)rei is 
called a consecutive graph sequence. We call R a maximal 
common root of a consecutive graph sequence (G^)r^a, iff R 
is a common root of {G^)r=a neither of (G^)r=a-i Ror 
{Gl^rtl 

Finally, a graph sequence that has a unique common root 
is called a single-rooted sequence. 

Definition 3 (Single-rooted sequence). We call a 
sequence {G'")rei single-rooted, or R-single-rooted, if there 

®In [3,4], the term I-vertex-stable root component (J-VSRC, 
or alternatively d-VSRC) has been coined for R being a com¬ 
mon root in {G'^)rei with I = [a, a -f d — 1]. We prefer the 
more general term common root of a sequence in this pa¬ 
per, since it aligns better with the focus of our analysis on 
(possibly arbitrary) sequences of communication graphs. 



exists a unique root component R s.t. ^i,j € I : roots(C/*) = 
roots(t/^) = {^}- We call R a maximal single root of a 
consecutive graph sequenee {Q^)rei with I = [a,b], iff R is a 
single root of {Q^)r^a but neither o/ nor 

We now introduce a notion of eausal past, which is closely 
related to the classic “happens-before” relation [14], albeit 
presented in a way that is compatible with the process-time 
graphs used e.g. in [12]. Given some round b, p’s causal 
past CPp(a) down to round a are exactly those processes 
the state of which at the end of round a has affected the 
state of p at the end of round b. 

Definition 4 (Causal past). For a given infinite se¬ 
quence a of communication graphs, we define the causal past 
CPp(a) of process p from (the end of) round b down to (the 
end of) round a as CPp(6) := {p} and for a < £ ^ b, 
CP^(^- 1) := CPli£) U {g € n [ 3(7' € CP^(£) : (<?' ^ 
9) G Q'} 

Note carefully an important consequence of Definition 4: 
By definition, q € CPp(a) implies that the state of q at the 
end of round a is in the causal past of p by the end of round 
b. Since the latter is a direct result of the communication 
graphs up to round b, however, this implies that p must have 
got the information about the round a state of q already 
before it performs its round b computing step, e.g., in a 
round b message. Thus, p can use that information already 
in its round b computation. 

From the monotonic growth of CPp(a) (recall the self¬ 
loops in every Q’'), we can deduce the following corollary: 

Corollary 2. p € CPq(a) implies p € CPq (a) for all 
b' ^ b. Analogously, p € CPq(a) implies that p € CPq(a') 
for all a' ^ a. 

As it will turn out in the next section, the “multi-hop 
delay” of a message sent by some process to reach some other 
process(es), i.e., the speed of information propagation over 
multiple rounds, will be important for solving consensus. 
This is particularly true in the case of a single-rooted graph 
sequence, where the following lemma guarantees an upper 
bound of n — 1 rounds: 

Lemma 1. Let a be a graph sequence containing a se¬ 
quence S = (C/”^, • • •, ofn—1 not neeessarily eonsec- 

utive R-single-rooted communication graphs. Then, for all 
pen-.RF CPp’'-^{ri - 1 ). 

Proof. Pick an arbitrary process p £ 11 , q £ R. We show 
by induction that, for £ £ [l,n — 1], [ CPp""”^ (r„_^)[ > £ or 
q £ CPp”'^ (r^-c). For £ = 1, this follows directly from Def¬ 
inition 4 . For the induction step, we assume that the claim 
holds for £ £ [1, n — 1) and show that it holds for £ -£ 1 as 
well. If the claim holds because q £ CPp”“^ (r„-e), by Corol¬ 
lary 2, we have q £ CPp”“^ (r„_^_i). Thus, assume that 
q ^ CPp"“^ (r„_^) and [ CPp"“^ (r„_£)[ ^ £. If it holds that 
[ CPp"“^(r„_£)[ > £, we get [ CPp”"^ (r„_r_i)[ 5: .^3-1 imme¬ 
diately, so assume that [ CPp”“^ (r„_r)[ = £. Since is 

i?-single-rooted, there is a path from 17 to p in accord¬ 

ing to Corollary 1 . Because q ^ CPp”~^ {r there is some 
process q' on the path from qtop s.t. q' CPp””^ (r„_^) but 
{q' p') £ for some p' £ CPp”"^ (r„_r). By Defini¬ 

tion 4 , CPp"”^(r„_^_i) D CPl"'~^{rn-i) U {q'}. By the in¬ 
duction hypothesis, therefore | CPp”“^ (r„_£_i)| > £3- 1. □ 


Pi Pi Pi 


P2 P3 P4 



P3 Pi P5 P2 Pi P5 P2 P3 P5 
Round 1 Round 2 Round 3 

Figure 1: Example of a communication graph sequence with 
dynamic diameter D = A, despite a small hop distance (di¬ 
ameter = 2) in every single graph. Bold nodes represent 
processes in the causal past CPp 5 ( 0 ). 

In order to specify message adversaries that guarantee 
faster information propagation than guaranteed by Lemma 1, 
we introduce a system parameter called dynamic (network) 
diameter 1 ^ D ^ n — 1. Intuitively, it ensures that the 
information from all nodes in R has reached all nodes in 
the network if D i?-single-rooted graphs have occurred in a 
graph sequence. 

Definitions (Dynamic diameter D). A message ad¬ 
versary MA guarantees a dynamic (network) diameter D, if 
for every graph sequence cr £ MA that contains a subsequence 
S = (5”i, • • •, of D not necessarily eonsecutive R-single- 
rooted communication graphs, it holds that R C CPJ)^ (ri — 1) 
for every p € B. 

It was shown in [3, Theorem 3] that processes need to 
know some estimate of D for solving consensus: Without 
this knowledge, it is impossible to locally verify a necessary 
condition for solving consensus, namely, the ability of some 
process to disseminate its initial value system-wide. Note 
carefully, though, that knowledge of D does not permit the 
processes to determine n in general. 

Definition 5 may lead to the conjecture that a maximum 
hop distance of D between q £ R and p £ 11 in every 
,..., 5”° guarantees a dynamic diameter of D. This 
is not the case, however: Consider, for example, the three- 
round sequence of communication graphs for pro¬ 

cesses pi,... ,P 5 shown in Fig. 1. Herein, is a directed 
tree of height 3, with single root node pi and a single node 
in the second level. In the following rounds, this second level 
node switches places with a new node ^ ps from the third 
level. In this scenario, pi ^ CPp^ (0), even though the length 
of the path from pi to any other process is 2 in every t/”. 

3 A simple stabilizing message adversary 

Recall that the purpose of our stabilizing message adver¬ 
sary is to allow an unbounded (but finite) initial period of 
“chaotic” behavior, where the communication graphs can be 
arbitrary: Unlike in [3], any G’’ may be arbitrarily sparse 
and could contain several root components here. Clearly, 
one cannot hope to solve consensus during this initial pe¬ 
riod in general. Eventually, however, the adversary must 
start to generate suitably restricted communication graphs, 
which should allow the design of algorithms that solve con¬ 
sensus. Naturally, there are many conceivable restrictions 
and, hence, many different message adversaries that could 
be considered here. We will develop two instances in this 
paper, and also relate those to the message adversary intro¬ 
duced in [4]. 



The simple message adversary {>STABLE(_D) defined in this 
section uses a straightforward means for closing the initial 
period, which is well-known from eventual-type models in 
distributed computing: In partially synchronous systems [7], 
for example, one assumes that speed and communication 
delay bounds hold forever from some unknown stabilization 
time on. Analogously, we assume that there is some un¬ 
known round Catab, from which on the adversary must be¬ 
have “nicely” forever. Albeit the resulting message adversary 
is restricted in its behavior, it provides easy comparability 
of the performance (in particular, of the termination times) 
of different consensus algorithms. Moreover, in Section 6 , 
we will show how to generalize OSTABLE(D) to a consider¬ 
ably stronger message adversary OSTABLE'(D), which does 
not require such a restrictive “forever after” property. 

In order to define what “behaving nicely” actually means 
in the case of OSTABLE(D), we start from a necessary condi¬ 
tion for solving consensus in The arguably most 

obvious requirement here is information propagation from a 
non-empty set of processes to all processes in the system. 
According to Lemma 1, this can be guaranteed when there 
is a sufficiently long sub-sequence of communication graphs 
in with a single common root. Natural candi¬ 

date choices for feasible graphs would hence be the very 
same single-rooted graph Q in all rounds r rgtab, or the 
assumption that all C/’’ are strongly or even completely con¬ 
nected (and hence also single-rooted). While simple, these 
choices would impose severe and unnecessary restrictions on 
our message adversary, however, which are avoided by the 
following more general definition (that includes these choices 
as special instances, and hence results in a stronger message 
adversary): 

Definition 6 . We say that has a (unique) FAES- 

common root R (“forever after, eventually single”) starting 
at round rstab ^ 1, iff R is (i) a maximal common root of 
and (ii) a maximal single root of for 

some round rsr ^ rstab- 

^STABILITY contains those communication graph sequences 
that have a FAES-common root R. 

Note that the eventual single-rootedness of {Q'")‘^rstab 
plied by OSTABILITY allows the respective round graphs Q” 
to be very sparse: For instance, each Q” of con¬ 

sisting of a chain with the same head but varying body would 
satisfy the requirement for single-rootedness. 

Whereas the properties guaranteed by ^STABILITY will 
suffice to ensure liveness of the consensus algorithm pre¬ 
sented in Section 5, i.e., termination, it is not sufficient for 
also ensuring safety, i.e., agreement. Consider for instance 
the top run (execution ei) from Fig. 2, where p is connected 
to g in a chain forever, which is feasible for OSTABILITY. 
In any correct solution algorithm, the head p of this chain 
must eventually decide in some round r on its initial value 
Xp. Now consider the execution £ 2 , depicted in the bottom 
of Fig. 2, where p is disconnected until r and Xp 7 ^ Xq. Since 
£2 is indistinguishable for p from £1 until r, process p will 
decide Xp at time r. However, in £ 2 , a chain forms with head 
q p forever after r. Since q is only aware of its own input 
value Xq, it can never make a safe decision in this execution. 

This is why OSTABLE(D) needs to combine OSTABILITY 
with another message adversary STICKY(a;) that enables our 
solution algorithm to also ensure safety. The above example 
illustrates the main problem that we face here: If we allow 


p -.. q p -► q 


p q p - q 

Rounds 1 to T Rounds r + 1 to oo 

Figure 2: Two executions £i (top) and £2 (bottom), indis¬ 
tinguishable for p until r. 

root components to remain common for too many consecu¬ 
tive rounds in the initial period (before rstab), the members 
of such a root component (which does not need to be sin¬ 
gle) cannot distinguish this from the situation where they 
are belonging to the final FAES-common root (after rstab)- 
In [3], this problem was void since all communication graphs 
were assumed to be single-rooted. In the following Defini¬ 
tion 7, we require that every root R that is common during 
a sequence of “significant” length a; -I- 1 is already the FAES- 
common root R. Again, in Section 6 , we will present a sig¬ 
nificant relaxation of this quite restrictive (but convenient) 
assumption. 

Definition 7. STICKY(a:) contains those communication 
graph sequences o = (C/”))!T]^, where every root R that is 
common for > x consecutive rounds in a is the FAES-common 
root R in a. 

We are now ready to define our simple eventually stabiliz¬ 
ing message adversary OSTABLE(D), which is the conjunction 
of the adversaries from Definitions 6 and 7, augmented by 
the additional requirement to always guarantee a dynamic 
network diameter D according to Definition 5: 

Definition 8 . The message adversary OSTABLE(D) = 
STICKY(D) -f OSTABILITY contains those graph sequences of 
STICKY(D) n OSTABILITY that guarantee a dynamic diame¬ 
ter of D. 

For exemplary graph sequences of OSTABLE(D) with D = 
2, see Figs. 3 and 4. Note carefully that Definition 6 allows 
the coexistence of the FAES-common root R with some other 
root component R' R in communication graphs that occur 
before R becomes the single root (in round Csr). However, 
according to Definition 7, R' cannot be common root for 
more than D consecutive rounds in this case. 

In the remainder of this section, we will informally in¬ 
troduce the message adversary VSRC(n, 4Z)) -f MAJINF(fc) in¬ 
troduced in [4].® The latter paper introduced a consensus 
algorithm, which gracefully degrades to fc-set agreement^ in 
less favorable runs. VSRC(n, 40) consists of all graph se¬ 
quences (T, where up to n root components (the maximal 
possible number) are allowed in every graph Q”. In addi¬ 
tion, there must be a consecutive subsequence of graphs 
C a where all root components are com¬ 
mon® and ensure dynamic network diameter D. On the 

®In [4], a network diameter R and a root diameter D are 
distinguished; we set H = D here to ensure compatibility 
with our definitions. 

^In fc-set agreement, the consensus agreement condition is 
relaxed such that up to fc different decision values are per¬ 
mitted. 

^Recall that these common root components are called 4D- 
vertex-stable root components (4D-VSRCs) in [4]. 
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Figure 3: Execution e of Theorem 2, n = 5, D = 2 

other hand, MAJINF(l) guarantees that the first 2_D+1-VSRC 
that occurs in a run dominantly influences every subsequent 
2D + 1-VRSC. This ensures that a decision value possibly 
generated in an earlier 2D + 1-VRSC is duly propagated 
to every subsequent 2D + 1-VSRCs. In the following The¬ 
orem 1, we show that VSRC(n, 4_D) -|- MAJINF(l) is stronger 
than 0STABLE(_D). This implies that the consensus algo¬ 
rithm from [4] works also under OSTABLE(Z)). 

Theorem 1. Message adversary''iSKC{n,‘iD)+Vlk31W{\) 
is stronger than 0STABLE(_D), i.e., VSRC(n, 4_D)-fMAJINF(l) D 
OSTABLE(H) 

Proof. Since both adversaries guarantee the dynamic di¬ 
ameter D, it suffices to show that VSRC(n, 4D) D OSTABILITY 
and MAJINF(l) D STICKY(H) both hold. 

VSRC(n, 4D) D OSTABILITY: Take any feasible sequence a 
of OSTABILITY. By Definition 6, there is some round rsi ^ 
Vstab from which on C a is i?-single-rooted. But 

then also is R-single-rooted and hence a C 

VSRC(n, 4D). 

MAJINF(l) D STICKY(Z)): Pick an arbitrary feasible se¬ 
quence (7 of STICKY(D). If there is a subsequence {Q^)rei of 
o with common root R consisting of > 2D rounds, then it 
follows from Definition 7 that there cannot be a subsequence 
of a with common root R' ^ R consisting of > 2D 
rounds, as R and R' both would need to be the single root 
of Hence, a is trivially in MAJINF(l). □ 

4 Termination time lower bound 

It follows immediately from Theorem 1 that the gracefully 
degrading consensus algorithm from [4] works also under 
OSTABLE(D). According to [4, Lemma 5], it terminates at 
the end of round rsr + 4D, i.e., has a termination time of 
4D + 1 rounds measured from the start of the stable period 
(round rsr). 

From an applications perspective, fast termination is of 
course important. An interesting question is hence whether 
the algorithm from [4] is optimal in this respect. The fol¬ 
lowing Theorem 2 provides us with a lower bound of 2D for 
the termination time under message adversary OSTABLE(D), 
which proves that it is not: There is a substantial gap of 2D 
rounds. 

Theorem 2. Solving consensus is impossible under mes¬ 
sage adversary OSTABLE(D) in round rsr + 2D — 1. 

Proof. We will use a contradiction proof based on the in- 
distinguishablility of specifically constructed admissible ex¬ 
ecutions. Since the processes have no knowledge of H and 
|n|, we can w.l.o.g. assume that n ^ 4 and D < n — 2. 

Assume that an algorithm A exists that solves consensus 
under OSTABLE(D) by the end of round rsr -f 2D — 1. Then, 
A must also solve consensus in the following execution e: In 
e, all processes in H start with input value 0, and all graphs 


in are the same Q. The graph Q is single-rooted with 

R — {pi} and contains a chain C G G consisting of D -f 1 
processes C C H that starts in pi G C and ends in p 2 € 
C. All remaining processes are direct out-neighbors of pi. 
Fig. 3 shows an example of the graph Q used in e for n = 5 
and D — 2. The execution is admissible because its graph 
sequence is feasible for OSTABLE(D) with rsr = rgtab = 1- By 
validity and our termination time assumption, every process 
must hence have decided 0 by the end of round rsr + 2D — 1 
in £. 

We will now construct an execution e' of A, where some 
process in H \ {pi,P 2 } eventually decides 1 albeit the state 
p^rsr-l- 2 D-i process P 2 at the end of round rsr + 2D — 1 
is the same as in e. Thus, e and e' are indistinguishable 
for process P 2 until rsr + 2D — 1. An example of the graph 
sequence used in e' for n = 5 and D = 2 is shown in Fig. 4. 

In e' , let two processes {psjPa} in n\ C have initial value 
1 and all remaining ones have initial value 0. The identical 
graph G' used in consist of the very same chain C as 

in G, and a single edge (p 3 ,p 4 ). Note that G' contains two 
root components, namely Ri — {pi} and R 2 = {ps}. The 
identical graph Q” used in consist of the chain 

C, an additional edge P 2 to pi, and an edge (p 4 ,p 3 ). Again, 
Q” contains two root components, Ri = C and R 2 = {P 4 }. 
Finally, the graph Q'” used in {G^)^2d+i i® G" augmented 
by two edges connecting p 4 to two different process in C. 
Note that it contains a single root R = {p 4 } and guarantees 
a dynamic diameter of (at most) D. 

Clearly, e' is an admissible execution for <}STABLE(D): It 
adheres to OSTABILITY for rsr ~ D 1, when {p 4 } becomes 
a forever common root that becomes single forever starting 
with round 2D -|- 1. It is also feasible for STICKY(D), as 
the only graph sequence that contains a common root for 
more than D rounds, namely, the final one {G^)^ 2 d+ 1 ’ i® 
single-rooted. 

For p 2 , the executions e and e' are indistinguishable for 
the first 2D rounds, because by the end of round 2D, p 2 
cannot have learned of the existence of the edge (p 2 —^ Pi) 
that distinguishes the root components R and Ri involving 
Pi in Q and Q" , respectively: It takes at least D rounds for 
any information, sent by pi, to be forwarded along C to P 2 , 
and Pi cannot have learned about the existence of this edge 
before round D -|- 1. It hence follows that p 2 decides 0 in 
round 2D also in e', as it does so in e. 

In e', by validity and the assumed correctness of A, how¬ 
ever, all processes must eventually decide 1 to solve con¬ 
sensus: The only input value that P 4 ever gets to know 
throughout the entire execution is 1. The same is true in 
the execution e”, which is identical to e' except that the 
input value of all processes is 1. Clearly, p 4 must decide 
1 in e" and, hence, also in e'. This provides the required 
contradiction and completes our proof. 

Above, we have shown the impossibility for the case where 
Vsr = 1 (which would already be sufficient for the claim of 
Theorem 2). Actually, it is not hard extend the proof for 
general Car, by simply prefixing e and e' with the following 
graph sequence tt: In every round Vsr of tt, the graphs 
alternate between G' and Q” , such that the graph in the last 
round of tt is G" ■ The resulting prefixed executions obviously 
still adhere to the message adversary 'C>STABLE(D) and are 
indistinguishable from their respective prefixed counterparts 
for processes P 2 and p 4 . □ 

We will show in the next section that the lower bound 
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established in Theorem 2 is tight, by providing a matching 
algorithm. 

5 A fast consensus algorithm 

We now present our consensus algorithm for the message 
adversary <}STABLE(D), which also works correctly under 
the generalized OSTABLE'(D) that will be introduced in Sec¬ 
tion 6. The algorithm is based on the fact that, from the 
messages a node receives, it can reconstruct a faithful under¬ 
approximation of (the relevant part of) the communication 
graph of every round, albeit with delay D. 

The algorithm stated in Fig. 5 works as follows: Every 
process p maintains an array Qp[r] that holds the graph ap¬ 
proximation of , and a matrix lockp[g][r] that holds the 
history of a special value, the lock-value, for every known 
process q and every round r. G^[r] and lock)(*[g][r] denote 
the content of the respective array entry at the end of round 
m as usual. The first entries of these arrays are initialized to 
the singleton-graph Gp[0] = ({p}, {}) resp. to lockp[p][0] := 
Xp, the input value of p, and to lockp[q'][0] := T for every 
q ^ P- Note that lockp[p][m — 1] can be viewed as p’s pro¬ 
posal value for round m. Every process broadcasts S^~^[r] 
and lock)(*“^ [g] [r] in round m ^ 1, and updates G^[r] and 
lock)(*[g][r], by fusing the information contained in the mes¬ 
sages received in round m in a per-round fashion (as detailed 
below), before executing the round m core computation (we 
will omit the attribute core in the sequel if no ambiguity 
arises) of the algorithm. Note that the round m core com¬ 
putation for m G {1,..., D} is empty. 

In the computation of some round t, p will eventually 
decide on the maximum lockp[g][a] value for all q £ R, where 
i? is a common root of some sequence but not of 

{G^)ria-i j 8-s detected locally in Gp[*]- Note carefully that 
T may be different for processes other than p. 

Two mechanisms are central to the algorithm for accom¬ 
plishing this: First, any process p that, in its round m 
computation, locally detects a single root component R in 
— D] will “lock” it, i.e., assign the maximum value of 
lock(('[g][m — D] for any q £ R to lock™[p][m]. Second, if 
process p detects in round r that a graph sequence had a 
common root R' for at least D -I- 1 rounds in its graph ap¬ 
proximation, starting in round a, p will decide, i.e., set pp 
to the maximum of lock)) [q] [a] among all q £ R'. 

Informally, the reason why this algorithm works is the 
following: From detecting an i?-single-rooted sequence of 
length ^ D -\- 1, p can infer, by the STICKY(D) property of 
our message adversary, that the entire system is about to 
lock p’s decision value. Moreover, by exploiting the infor¬ 
mation propagation guarantee given by Lemma 1, we can 
be sure that, after p’s decision in round r, every other pro¬ 
cess q decides (in some round r' r) on the very same 
value: Under OSTABLE(D), it decides because the root that 
triggered the decision of p is the FAES-common root; under 
OSTABLE'(D), q decides on the same value because it will 


never assign a value different from lockp [p] [r] to lock, \x\ [t''\ 
for any r” t' and any known process x. Finally, termi¬ 
nation is guaranteed since every p will eventually find an 
i?-single-rooted sequence of duration at least D -\-l because 
of OSTABILITY. 

Graph approximation and lock maintenance 

Our algorithm relies on a simple mechanism for maintaining 
the graph approximation C/p[r] and the array of lock values 
lockp[g][r] at every process p: In every round, each process 
p broadcasts its current Gp[*] and lockp[>i=][>i=] and updates 
all entries with new information possibly obtained in the re¬ 
ceived approximations from other processes. In more detail, 
an edge {q —>■ q') will be present in G^lr] at the end of round 
m ^ r if either p — q' and p received a message from q in 
round r, or if p received Gq" [r] for m ^ r" ^ r from some 

process q" and [q —>■ q') £ Gq»[r]. Similarly, lock))*[g][r] 
for r < m is updated to lock^/ [g] [r] ^ T whenever such an 
entry is received from any process q'-, the entry lock™[g][m] 
for the current round m is initialized to lockp[p][m] := 
lockp[p][m — 1] for q — p and to lockp[g][m] := T for every 
<1J^P- 

Note carefully that we assume that the round m compu¬ 
tation of the approximation algorithm is executed before the 
round m core computing step at every process. Therefore, 
the round m approximation Gff [*] is already available before 
the core computing step of round m at process p is executed. 

We do not provide further details of the implementation 
of this graph approximation here; a fitting algorithm, along 
with its correctness proof, can be found in [3,4]. We remark, 
though, that the full-information approach of the above im¬ 
plementation incurs sending and storing a large amount of 
redundant information. Comments related to a more effi¬ 
cient implementation are provided in Section 6. 

The crucial property guaranteed by our graph approxima¬ 
tion is that processes under-approximate the actual commu¬ 
nication graph, i.e., that they do not fabricate edges in their 
approximation. Using our notion of causal past, it is not 
difficult to prove the following assertion about edges that 
are guaranteed to exist in the graph approximation: 

Lemma 2. In a full-information graph approximation pro- 
toeol, q £ CPp (r) holds for r' > r there exists a process 
q' s.t. {q^ q') £ Gp [r"] for some r" G (r, r']. 

Proof, “^’’-direction: If p = g, the claim trivially holds 
because every communication graph contains the self-loop 
{p p). For p ^ q, since we assume g G CP)) (r), by 
Definition 4, there exists a round r” > r, such that 3q' G 
CPp (r") with (g —>■ q') £ G^ ■ Therefore, p must have 
received the round r” state of q' and hence fearned about 
the edge (g ^ q'), by round r'. In other words, (g —>■ q') G 
Gp {x"], as claimed. 

“4=”-direction: Since we assume a full-information proto¬ 
col, p knowing part of the state of another process q' im- 




Figure 5: Round m ^ D + 1 core computation step of our consensus algorithm for process p. Q[r] = G^[r] deuotes p’s round 
m view of provided by the network approximation algorithm. lock[g][r] denotes lock™[g][r], where lock[p][m] represents 
p’s proposal value for the next round m + 1. 


plies that p knows the entire state of q'. Hence, if {q —>■ 
q') G Gp [r”], p knows the state of q' of round r”. Thus 
q' € CPp (r”) with r” ^ r'. From Corollary 2, it follows 
that q G CPp {r" — 1), which implies q G CPp (r) because 
r ^ r". □ 

We now present a more abstract view on this mechanism 
of approximating the communication graph. First, we an¬ 
swer which state information a process needs in order to 
reliably detect which roots are present in the actual com¬ 
munication graph. 

Lemma 3. Let R G roots(0’') and let there be some pro¬ 
cess p and round r' such that R C CPp (r). In a full- 
inf ormation graph approximation protocol, R G roots(^p [r]). 
Furthermore, there exists a process q' s.t. {q q') G Gp \r"] 
for some r < r” ^ r'. 

Proof. Since R C CPp (r), according to Corollary 2, by 
the end of round r', p has received the round r state q^ of 
all processes q £ R. In particular, p has received all round r 
in-edges of every process q. Hence, Ris a, strongly connected 
component of Gp [r] and there are no processes q' G n\i? s.t. 
{q' q) £ Gp [r]. But then, R G roots(0p [r]), as asserted. 
The presence of {q —>■ q') in Gp \r"] follows directly from 
Lemma 2. □ 

We conclude our considerations regarding the graph ap¬ 
proximation by looking at what is sufficient from an algo¬ 
rithmic point of view for a process p to faithfully determine 
the root components in some communication graph. In the 
case where a root component R G roots(t/’') has size |i?| > 1, 


we note that as soon as a process p knows, in some round r', 
at least one in-edge {q' q) £ Gp [r] for each q £ R, then p 
knows (/’’ and hence all in-edges of q. Consequently, it can 
reliably deduce that iudeed R G roots(t/'^). 

In the case where |i?| = l{g}| = 1, if p has no edge {q' 
q) G Gp [r], this is not sufficient for concluding that {g} G 
roots(C/’^): Process p seeing no in-edge to a process q in 
the local graph approximation Gp [r] happens naturally if 
q G CPp (r — 1) and q ^ CPp (r), i.e., when the last message 
p received from q was sent at the beginning of round r. 
In order to overcome this issue, process p must somehow 
ascertain that it already received the state q’’ of process q 
in round r. In particular, process p can deduce this directly 
from its graph approximatiou as soon as it observed some 
outgoing edge from g in a round strictly after r. 

Let us state this more formally iu the following lemma. 

Lemma 4. Consider a full-information graph approxima¬ 
tion protocol. Let R G roots(C/p [r]) for r' > r, and let, for 
all processes q £ R, there be a process q' and a round r” G 
(r,r'], such that {q —>• q') £ Gp [r"]- Then, R £ roots(C/’’), 
and R C CP;'(r). 

Proof. By contradiction. Assume that R G roots(t/p [r]), 
Vg £ R3q' £ n,r" G (r,r']: (g g') G Gp [r”] and R ^ 
roots(t/'^). Because of the latter, there exist some processes 
q £ R aud q" ^ R with (g" q) £ G’"- By the preseuce 
of the edge (g —> q') iu Gp \r”] and Lemma 2, we have R C 
CPp (r). But theu, by the assumption that (g" q) £ G^, 
it must also hold that (g" q) £ Gp [r]. This, however, 
coutradicts that R G roots(t/p [r]). □ 












Finally, the way how the lock arrays are maintained by 
our algorithm implies the following simple results: 

Corollary 3. If r' > r, then q € CPp (r) implies that 
also lockp [g][r"] = lockj [<?][r”] for all rounds r" ^ r. 

Lemma 5. Let m be a round reached by process p in the 
execution. Then, lockJJ*[p][r] ^ _L for all 0 ^ r ^ m. 

Proof. Since lockp[p] [0] = Xp , it follows from the update 
rule lockp [p][m] := lockp [p][m — 1] that lockp [p][m] ^ ± 
for all reached rounds m, provided that the core algorithm 
never assigns _L in bl. Since the latter can only assign the 
maximum of lockp [g] [a] for all g £ i? from some earlier 
round a ^ m — D < m, the statement of our lemma follows 
from a trivial induction based on Corollary 3, provided we 
can guarantee g € CPJJ*(a). The latter follows immediately 
from cl in conjunction with Lemma 4, however. □ 

Correctness proof 

Before proving the correctness of the algorithm given in 
Fig. 5 (Theorem 3 below), we first establish two technical 
lemmas: Lemma 6 reveals that our algorithm terminates 
for every message adversary MAT that guarantees certain 
properties (without guaranteeing agreement, though). The 
complementary Lemma 7 shows that our algorithm ensures 
agreement (without guaranteeing termination, though) for 
every message adversary MAA that guarantees certain other 
properties. Theorem 3 will then follow from the fact that 

<>stable(L)) c mat n maa. 

Lemma 6. The algorithm terminates by the end of round 
T under any message adversary MAT that guarantees dynamic 
diameter D in conjunction with the following properties: For 
every a € MAT, 

• there is an R-single-rooted sequence (C/'’)f^„ £ cr with 
P — a 1 > D. 

• there is a round r such that R C CPp(/3), for allp £ B. 

Proof. We show that if process p has not decided before 
round r, it will do so in round r. By round r, every process 
p £ n received g^ for all g £ i? by the assumption that 
R C CPp(/3). Hence, by Lemma 3 and Lemma 4, for every 
p £ n, it holds that R is the single root of roots((/p [/3]). 
Furthermore, by Corollary 2, i? is in fact the single root of 
roots(t/p [r]) for any r £ [a, /3]. Therefore, process p will pass 
the check c 2 in round r. 

In addition, by the assumption that R C CPp(/3) and 
Lemma 3, for every q £ R, there exists a round /3' £ (/3,r], 
s.t. {q ^ q') £ Gp[P'] for some process g'. Therefore, process 
p will pass the check c3 in round r and decide. □ 

Lemma 7 below shows that, under message adversaries 
that guarantee a ECS(D + l)-common root according to Def¬ 
inition 9, the algorithm from Fig. 5 satisfies agreement. 

Definition 9. We say that a graph sequence ho,s 

a ECS(a;-|-l)-common root (“embedded consecutive sin¬ 
gle common root”) R, if (i) (C/’')“f!r„ has a common root R 
and (a) C (C/’’)“+^ has a .single root R. 

Lemma 7. Let MAA he a message adversary that guaran¬ 
tees, for every a £ MAA, a dynamic diameter D in conjunc¬ 
tion with the property that the first subsequence {G”)r^a ^ ^ 


with a maximum common root R and (3 — a -\-l > D has a 
ECS(D -I- l)-common root. Under MAA, if two or more pro¬ 
cesses decide in our algorithm, then they decide on the same 
value 7 ^ T. 

Proof. Let a' and /3', with P' — a' -\-1 > D, delimit the 
maximal period where R is single-rooted, as predicted by 
Definition 9. 

Setting A = maxqgrj lock“[g][a], we show that if an ar¬ 
bitrary process p decides in round r, it decides on A and 
A 7 ^ T. Assume that p decides in some round r. It follows 
from c2 and c3 that p detects in round r that R' is the single 
root of {Gp[r])*(^^, with 6 ' — a' -|- 1 > D, and that, for every 
g £ R', there is a round 7 > fe' where there is an edge (g, q') 
in Gp(y] for some process q' £ H. By Lemma 4, we have 
that R' £ roots(C/’^) for all r £ [a',b'], and R' C CPp( 6 '). 
Thus, Corollary 3 in conjunction with Lemma 5 confirm that 
indeed A yf T. We distinguish two cases: 

Case 1 . [a',h'\ C [a,/3]: From the definition of MAA, in 
combination with the fact that 6 ' — a' -|- 1 > D, it follows 
that R' = R: if this was not the case, then either (C/’’)(?^„ 
would not be the hrst sequence of its kind or would 

not be i?-single-rooted. 

By b3, p will decide on the maximum of lockp[g][a"], 
where a" is a round such that (^p[t])^^„// has a maximum 
common root R, \a”,h”] 3 [a',b'], and q £ R. Hence, since 
R C CPp(fe') and a < fe', it follows from Corollary 2 that 
R C CPp(a). Thus, by Lemma 3, we have a" = a. Accord¬ 
ing to Corollary 2 in conjunction with Corollary 3, it follows 
that p indeed decides on A. 

Case 2. [a',b'] ^ [a,/?]: First, observe that a' > P': If 
a' ^ P' then, because {G”)r=a is the first sequence of its 
kind, we have that a' p a. Thus, since is 77-single- 
rooted, R' = 77, and hence [a', b'] ^ [a, p] is a contradiction 
to the assumption that 77 is maximal common in {G^)r=a. 

It follows from this observation and b3 that p decides on 
the maximum value of lockp [g] [a"] for g £ 77', where a" > 
P' . Thus, to conclude our proof, it suffices to show that 
lockp [p][r] = A for all rounds r > p' and all processes p £ H. 

Since is 77-single-rooted, it follows from Def¬ 

inition 5 and Lemma 3 that in round P' every process p 
sets lock^ [p][/3^] to A via bl. Moreover, if a process assigns 
a value to lockp[p][m] during some round m £ {P' , P' -\- 
D] via bl later on, it follows from the single-rootedness of 
{G^)^^pi_P) and Lemma 4 that the assigned value is also A. 

For I P' -\- D, we show by induction on t that A is as¬ 
signed to lockp[p][m] (if there is any assignment at all), in 
round m, for all m £ [P',t] and all processes p. The in¬ 
duction basis is i = p' -\- D, for which the claim has been 
established already. For the induction step, assume that 
the claim holds for the interval [P', I] and all p. If no pro¬ 
cess p changes its lock value in bl during the core round 
I-\-l computation, i.e., lockp[p][£] = lockp+^[p][£-|- 1 ], then 
the claim follows immediately from the induction hypothe¬ 
sis. Thus, assume that A = lockp [p][£] 7 ^ lockp'''^[p][€ -I- 1]. 
This means that p has successfully passed cl and hence, by 
Lemma 4, that there is a root 77" £ roots)!/^"*"^”^) with 
77" C CPp”*"^)^ -f 1 — 77). If 77" = 77 is a maximal common 
root of (G’’)r=a, by Corollary 2 , it follows from the definition 
of A and Corollary 3 that p assigns lockp+^[p][£ -|- 1] := A. 
Therefore, assume that this is not the case, i.e., 77" yf 77. 



Still, R" must be a maximal common root in for 

some a" > P' with a” ^ i -\- 1 — D. By the induction hy¬ 
pothesis, lockq'''^“^[(jr][r] = A for every process q of R” and 
round r £ [/3^ £] and so, in particular, = A. 

It follows from Corollary 3 and R” C CPp'^{i -I- 1 — D) that 
for all processes q G R", we have lockp''"^[g][a”] = A. There¬ 
fore, since, by bl, p chooses its new value for lockp"*"^ [p] [i-\- 1] 
as the maximum of the entries lockp"*"^[q][a"], it assigns 
lockp+^[p][€ -I- 1] ;= A. □ 

Theorem 3. The algorithm from Fig. 5 solves consensus 
by round rsr+ 2D under message adversary 0STABLE(_D). 

Proof. According to b3, a process p can decide only on 
a value in lock™[p][*] in some round m. By Lemma 5, this 
value must be ^ T. Since lock5[g][0] is initialized to Xq for 
any process q, and the only assignments T to any lock, 
entry are lock,/ entries of other processes, validity follows. 

For agreement, recall that STICKY(iA) guarantees that the 
first sequence {G^)rei with a common root R and |7| > D 
must be the FAES-common root. Hence, agreement follows 
from Lemma 7. 

For termination, recall that OSTABILITY guarantees the 
existence of some round Fsr Fstab such that is 77- 

single-rooted. This implies that the sequence is 77- 

single-rooted and, by Definition 5, 77 C CPp“''"^^(rsr + D). 
Lemma 6 thus implies termination by round Vsr + 2D. □ 

6 Generalized stabilizing message adversary 

The simple message adversary introduced in Section 3 may 
be criticized due to the fact that the first root component 77 
that is common in at least 77-1-1 consecutive rounds must 
already be the FAES-common root that persists forever after. 
In this section, we will considerably relax this assumption, 
which is convenient for analysis and comparison purposes 
but maybe unrealistic in practice. 

In the following Definition 10, we start with a significantly 
relaxed variant {>STABILITY'(a:) of OSTABILITY from Def¬ 
inition 6: Instead of requesting an infinitely stable FAES- 
common root 77, we only require 77 to be (i) a ECS(® -|- 1)- 
common root that starts at rstab and becomes single at 
rsr ^ rstab, and (ii) to re-appear as a single root in at least D 
not necessarily consecutive later round graphs G^^ , • • •, G^^ ■ 
Note that, according to Definition 5, the latter condition 
ensures 77 C CPp°(rar + x) for all p G H if OSTABILITY'(a;) 
adheres to the dynamic diameter 77. 

Definition 10. Every communication graph sequence a G 
OSTABILITY'(a:) contains a subsequence {G^)rii, which has 
a ECS(a; -I- 1) -common root 77; let rstab = a be its starting 
round and rsr = a' be the time when it becomes single. Fur¬ 
thermore, there are at least 77, not necessarily consecutive, 
R-single rooted round graphs G^^ , • • •, G^’^ with rsr -I- a; < 
r\ < ■ ■ ■ < ro in a. 

Moreover, we also relax the STICKY(a;) condition in Def¬ 
inition 7 accordingly: We only require that the first root 
component 77 that is common for at least a; -I- 1 consecutive 
rounds in a graph sequence a = (G'^)^i is a ECS(x -I- 1)- 
common root: 

Definition 11. For every a G STICKY'(a;), it holds that 
the earliest subsequence in a with a maximal common root 77 


in at least x-\-l consecutive rounds actually has a ECS(a;-|-l)- 
common root. 

Combining these two definitions results in the following 
strong version of our stabilizing message adversary. 

Definition 12. The strong stabilizing message adversary 
0STABLE'(77) = STICKY'(7)) -|-0STABILITY'(77) contains all 
graph sequences in STICKY'(77) n {>STABILITY'(77) that guar¬ 
antee a dynamic diameter of D. 

Note carefully that the very first ECS(77-|- l)-common root 
77' occurring in u G {>STABLE'(77) need not be the ECS(77-|-1)- 
common root 77 guaranteed by Definition 10. 

The following Lemma 8 shows that the message adversary 
0STABLE'(77) is indeed weaker than {>STABLE(77). This is not 
only favorable in terms of model coverage, but also ensures 
that an algorithm designed for {>STABLE'(77) works under 
0STABLE(77) as well. 

Lemma 8. 0STABLE(77) C 0stable'(77) 

Proof. Pick any graph sequence cr G 0STABLE(77). Since 
(T G ^STABILITY, there exists a round Car Catab such 
that is 77-single-rooted. But then {G'~)pS:tsf is 

also 77-single-rooted and there is a set of 77 additional com¬ 
munication graphs S — ^ gi'sr+ 2 £)| 

every G'~ (z S is also 77-single-rooted. Hence, cr satisfies 
0STABILITY'(77). 

Furthermore, cr satisfies STICKY(77). Thus, for the first se¬ 
quence {G^)ria with common root 77, 77 must already be the 
FAES-common root and hence {G^)‘^rsr is 77-single rooted for 
some Tar ^ a. Consequently, 77 is a ECS(a; -I- l)-common root 
starting at a. Hence, cr satisfies STICKY'(77). □ 

The following Theorem 4 shows that the algorithm from 
Fig. 5 also solves consensus under the stronger message ad¬ 
versary {>STABLE'(77): 

Theorem 4. For a graph sequence a G {>STABLE'(77), let 
G ^^, • • •, G'^^ with n > rsr + D denote the 77 re-appearances 
of the ECS{D-\-l)-common root 77 guaranteed by ^STABILITY' 
according to Definition 10. Then, the algorithm from Fig. 5 
correctly terminates by the end of round t = ro- 

Proof. The proof of validity in Theorem 3 is not affected 
by changing the message adversary. 

For the agreement condition, recall that STICKY'(77) guar¬ 
antees that the first sequence {G^)rei with common root 77 
in 77-1- 1 consecutive rounds has a ECS(77-|- l)-common root. 
Hence, we can again apply Lemma 7 to prove that the algo¬ 
rithm satisfies agreement. 

For the termination condition, recall that for any sequence 
cr G OSTABILITY'(77) it is guaranteed that there exists some 
round rsr s.t. {G^)r=ts^ is 77-single-rooted. Furthermore, 
a contains at least 77 not necessarily subsequent 77-single 
rooted communication graphs after rsr + 77. The latter im¬ 
plies, by Definition 5, that 77 C CPp (rsr + 77) for every pro¬ 
cess p G H. Hence, we can again apply Lemma 6, which 
shows that the algorithm indeed terminates by round r. □ 

By contrast, the algorithm from [4] does not work under 
0STABLE'(77). Under an appropriate adversary, this algo¬ 
rithm ensures graceful degradation from consensus to gen¬ 
eral fc-set agreement. This does not allow the algorithm to 



adapt to the comparably shorter and weaker stability peri¬ 
ods of {>STABLE'(_D), however. In more detail, VSRC(n, 4D) 
requires a four times longer period of consecutive stability 
than OSTABILITY'(D). The adversarial restriction MAJINF(fc) 
that enables fc-agreement under partitions in [4] for fc > 1, on 
the other hand, is very weak and thus requires quite involved 
algorithmic solutions. Nevertheless, despite its weakness, it 
is not comparable to STICKY'(D). 

Impossibility results and lower bounds 

The proof of Theorem 4 indicates that two things are needed 
in order to solve consensus under a message adversary like 
OSTABLE'(D): There must be some subsequence with a sin¬ 
gle root component R in at least a: -I-1 rounds, and, for every 
process in the system, there must be some round r such that 
R appears in the causal past . Looking more 

closely at the message adversary OSTABLE'(II), it is hence 
tempting to further weaken it by instantiating STICKY'(x) 
with some x > D and/or OSTABILITY'(a:) with some x < 
D. There is, however, a fundamental relation between the 
STICKY'(a;) and OSTABILITY'(a;) conditions: Weakening one 
condition requires strengthening the other, and vice-versa. 

To further explore this issue, we introduce the message 
adversary MA(a;,t/), which consists of the graph sequences 
in sticky'( a;) PI OSTABILITY'(i/) that guarantee a dynamic 
diameter D. The following Theorem 5 reveals that solving 
consensus requires y ^ x. 

Theorem 5. Solving consensus is impossible under mes¬ 
sage adversary MA{x,y) for x > y. 

Proof. Since the processes have no knowledge of 11 and 
|n|, we can again w.l.o.g. assume that n ^ 4 and D < n — 2. 

Assume for a contradiction that some algorithm A ex¬ 
ists that solves consensus under MA(a;,y) for x > y, and 
hence also in the following execution e with graph sequence 
ct: Every process starts with input value 0 and, for the first 
X ^ 2/-I-1 rounds, is i?-single rooted. Then, the com¬ 

munication graphs alternate between being i?'-single-rooted 
and i?-single-rooted for some root R' ^ R. Additionally, 
there are two distinct processes p and q that have only in¬ 
coming edges throughout the entire execution e. The actual 
communication graphs outside R are such that a has a dy¬ 
namic diameter D. 

Since every t/’’ in a is single-rooted, the latter is feasi¬ 
ble for 0STABILITY'(2/), with Tstab = 1 and the communi¬ 
cation graphs •.., where R re-appears D 

times. In addition, as a does not contain any root com¬ 
ponent that is common in more than x rounds, it trivially 
satisfies STICKY'(x) as well. By the assumed correctness of A 
under MA(a;,i/), there is hence some round r by which every 
process must have terminated correctly. 

Now consider the following execution e', with graph se¬ 
quence a': Each process of 11 \ {p, q} starts with input value 
0, while p and q start with 1. Eor every G^ of (G^)r=i in 
a', the induced subgraph of 11 \ {p,q} is the same as in a. 
By contrast, the processes p and q are now connected only 
with each other: There is an edge {q,p) in every G'" and an 
edge {p, q) in every G^ where r is even. Einally, the graph 
sequence (G^)^r+i forever repeats the star-graph G, where 
the center p has no in-edges and an out-edge to every other 
process. 

Clearly, a' is feasible for 0STABILITY'(2/), with Tstab = 
r -f 1 due to the star-graph sequence (G^)^t+i- Moreover, 


(G^}^t+i is the only subsequence of a' with a common root 
R and a longer consecutive duration than x. Since R is 
a ECS(a: -I- l)-common root of cj' is feasible for 

sticky'( x). Since also the dynamic diameter D is adhered 
to in cr', we have thus that a' is feasible for MA(a;,i/). 

Observe that all processes of n\{p, q} have the same state 
in both e and e' at the end of round r. Hence, all decide 
0 in e' as they do in e. Eor p and q, e' is indistinguish¬ 
able from the execution e", which applies a' to the initial 
configuration where every process started with input value 
1. Consequently, p cannot make a safe decision in e': If it 
decides 1, it violates agreement w.r.t. e, if it decides 0, it 
violates validity w.r.t. e". This contradicts the assumption 
that A is a correct consensus algorithm. □ 

Essentially, the proof of Theorem 5 exploited the obser¬ 
vation that the members of a root component R cannot dis¬ 
tinguish whether they belong to the single root component 
guaranteed by 0 STABILITY'(j/) after Tstab, or to a (possi¬ 
bly non-single) “spurious” common root my-\-l consecutive 
rounds generated my MA(a:, y) before rgtab- Note that this is 
closely related to the argument used for defending the need 
to introduce STICKY(a:) in Definition 7 (recall the graphs de¬ 
picted in Fig. 2). 

In the light of Theorem 5, {>STABLE'(D) is hence the strong¬ 
est eventually stabilizing variant of MA(a;,y) for x D we 
can hope to find an algorithm for. Note that it would not be 
difficult to adopt the algorithm introduced in Fig. 5 to work 
under MA(a;, y) for general y x ^ D, though. Answering 
the question of whether it is possible to solve consensus for 
X < D is a, topic of future research. 

Finally, Theorem 6 provides a termination time lower bound 
for consensus under OSTABLE'(D). The result itself is actu¬ 
ally a direct consequence of the fact that {>STABLE(D) C 
OSTABLE'(T)) (Lemma 8) and Theorem 2. We now provide a 
more involved argument showing that the result holds even 
for arbitrary choices of rsi and {ri,..., ro}. 

Theorem 6. For a graph sequence a G {>STABLE'(L)), let 
0”!,..., G^° with ri > Vsr-i- D denote the D re-appearances 
of the ECS{D-\-l)-common root R guaranteed by ^STABILITY' 
according to Definition 10. Then, no correct consensus al¬ 
gorithm under the message adversary {>STABLE'(L)) can ter¬ 
minate strictly before round ro- 

Proof. We assume w.l.o.g. that n > 4 and D < n — 3. 
Furthermore, we do not let the adversary choose rsi and 
{ri ,... ,ro}, which results in an even stronger impossibility 
result. 

First, let us define some communication graphs that we 
employ later on. For any graph G, let G denote the sub¬ 
graph of G induced by H \ augmented with the 

edge (pn-i,Pn). Let G be the same as G except that the di¬ 
rection of this edge is reversed. In addition, let G' be a graph 
where D -|- 2 processes of H \ constitute a chain 

C (actually, a tree), with head pi and two tails pn-s,Pn- 2 , 
where the processes of H \ C only have incoming edges. Let 
G" be the same as G' , except that the direction of all the 
edges in C is reversed and there is an edge e = {pn- 3 ,Pn- 2 ) 
in G” ■ Let G"' be the same as G” but with reversed direction 
of this edge e. 

For a contradiction, assume that an algorithm A exists 
that solves consensus in a round r ro — L Then, A 
must solve consensus also in the following execution e: Let 



all processes start with input 0, and construct cr = 
as follows: For r ^ {ri,...,r_D} and 1 Si r < rsr or r > 
Vsr + D, ii r is even, let — Q"; if r is odd, = Q'”. For 
fsr ^ r < Tsr + -D Or r £ {n,..., ro}, let Q"' = 5'. Clearly, 
(T € <}STABLE'(_D). By validity and the assumptions on A, 
all processes of II must decide 0 by round r. 

We now define another execution e', where all processes 
in n \ {pn-i,Pn} start with 0 and p„-i and pn start with 
1. The graph sequence a' of e' is the same as o until round 
T, except that every C/’’ of g is replaced with if r is even 
and C/’’ if r is odd. Moreover, Q' in round rsr + D is not 
only replaced with Q’, but also augmented with a single 
edge (p 2 ,pi). Finally, let the of in a' be a 

star-graph with an out-edge from p„ to every process of II. 
Again, note that a' £ {>STABLE'(II). 

Observe that, in a', for any round r < r_D, it holds that 
Pi 0 CPp"^ 2 ^(r). Hence, until round r, e is indistinguish¬ 
able for Pn -2 from the execution e'. In particular, p „-2 can 
not have learned about the existence of the edge (p 2 ,pi) in 
g^Br+D_ Therefore, since p „-2 decides 0 in round r in e, it 
does so also in e'. This, however, means that p„ can never 
make a safe decision in e': In order to satisfy agreement it 
should decide 0. However, since p„ never hears from process 
that had input 0, e' is indistinguishable for pn from an execu¬ 
tion e”, which has the same graph sequence a' but where all 
processes have input 1. In order to satisfy validity, it should 
decide 1 in e". This provides the required contradiction. □ 

More efficient algorithms 

Throughout our paper, we have assumed a full-information 
protocol where, every round, a process stores and forwards 
its entire known state history. While this is a convenient 
abstraction for introducing the fundamental concepts of our 
algorithm and a valid assumption for any impossibility re¬ 
sult, it is of course highly unpractical. 

We can name two major improvements related to this is¬ 
sue. For simplicity, we only discuss the graph approximation 
here and not the matrix lockp of lock values. It is not hard 
to see that arguments for the former extend in a natural way 
to the latter. 

First, it has already been shown, via the graph approx¬ 
imation algorithm used in [3], that it is sufficient to store 
and forward the local graph approximation history of each 
process in order to faithfully approximate the communica¬ 
tion graph sequence. In round r, this requires up to O(rn^) 
local memory space at every process. 

Second, the question arises whether it is indeed necessary 
to maintain (an approximation of) the entire communication 
graph sequence. In the case of OSTABLE(D), it is perfectly 
possible to locally store and forward only a relatively small 
part of the graph approximation: Since the largest possible 
latency for a process to detect the start of a single-rooted 
graph sequence of duration D + 1 is D rounds, it suffices to 
maintain only the last 2D+1 rounds of the graph approxima¬ 
tion history. This optimization yields a memory complexity 
of 0{Dn^) = 0{n^) by Lemma 1. 

In the case of <}STABLE'(II), there is a tradeoff between 
the strength of the adversary and the memory complexity 
required by the algorithm. The principal issue is that if we 
allow the algorithm to purge the graph approximations for 
all but the last x rounds, then the adversary could generate 
a run with a “terminating” ECS(II + l)-common root R with 
td > rsr -k H -k X, recall Definition 10. In this case, process 


p £ n in round td would not have its causal past down to 
round rsr + D available, which is mandatory for detecting 

R. 

A straightforward remedy would be an additional restric¬ 
tion to be enforced by the message adversary, which must 
ensure vd ^ rstab + D + x for some given additional param¬ 
eter X. A message adversary weakened in such a way would 
entail a memory complexity of 0{xn^) for our consensus al¬ 
gorithm. 

7 Conclusion 

We introduced an eventually stabilizing message adversary 
for consensus in a synchronous dynamic network with di¬ 
rected communication. Such a model closely captures the 
behaviour of a real network with arbitrarily irregular inter¬ 
connection topology for a finite initial period, before it even¬ 
tually starts to operate in a reasonably well-orchestrated 
manner. 

Our message adversary eventually asserts a single strongly 
connected component without incoming edges from outside 
the component, which consists of the same set of processes, 
with possibly changing interconnection topology, either for¬ 
ever ({>STABLE(II)) or, in a generalized and stronger vari¬ 
ant, for a certain number of (partly consecutive) rounds 
(OSTABLE'(D)). We established that no deterministic algo¬ 
rithm can terminate earlier than 2D + 1 rounds after sta¬ 
bilization in some execution under OSTABLE(D), where D is 
the dynamic network diameter guaranteed by the message 
adversary, and provided a matching algorithm, along with 
its correctness proof, that even works under OSTABLE'(D). 

Part of our future work in this area will be devoted to 
finding even stronger message adversaries for stabilizing dy¬ 
namic systems, and to the development of techniques for 
exploiting them algorithmically. 
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